* [PATCH] cryptodisk: Fix Coverity use after free bug
@ 2022-01-01 21:48 Glenn Washburn
  2022-01-13 18:44 ` Daniel Kiper
  0 siblings, 1 reply; 2+ messages in thread
From: Glenn Washburn @ 2022-01-01 21:48 UTC (permalink / raw)
  To: Daniel Kiper, grub-devel; +Cc: Glenn Washburn

The Coverity output is:

  *** CID 366905:  Memory - illegal accesses  (USE_AFTER_FREE)
  /grub-core/disk/cryptodisk.c: 1064 in grub_cryptodisk_scan_device_real()
  1058      cleanup:
  1059       if (askpass)
  1060         {
  1061           cargs->key_len = 0;
  1062           grub_free (cargs->key_data);
  1063         }
  >>>     CID 366905:  Memory - illegal accesses  (USE_AFTER_FREE)
  >>>     Using freed pointer "dev".
  1064       return dev;
  1065     }
  1066
  1067     #ifdef GRUB_UTIL
  1068     #include <grub/util/misc.h>
  1069     grub_err_t

Here the 'dev' variable can point to a freed cryptodisk device if the
function grub_cryptodisk_insert() fails. This can happen only on an OOM
condition, but when this happens grub_cryptodisk_insert() calls grub_free on
the passed device. Since grub_cryptodisk_scan_device_real() assumes that
grub_cryptodisk_insert() is always successful, it will return the device,
though the device was freed.

Change grub_cryptodisk_insert() to not free the passed device on failure.
Then on grub_cryptodisk_insert() failure, free the device pointer. This is
done by going to the label 'error', which will call cryptodisk_close() to
free the device and set the device pointer to NULL, so that a pointer to
freed memory is not returned.

Signed-off-by: Glenn Washburn <development@efficientek.com>
---
Having reviewed the Coverity error, I believe this is the fix needed to resolve
the use after free reported by Coverity. However, I do not currently have
Coverity set up, so I don't have a way to test if this is both necessary and
sufficient to resolve the Coverity error. Regardless, I do believe that it does
fix a real use after free bug.

Glenn
---
 grub-core/disk/cryptodisk.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 497097394..e7c4795fd 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -889,10 +889,7 @@ grub_cryptodisk_insert (grub_cryptodisk_t newdev, const char *name,
 {
   newdev->source = grub_strdup (name);
   if (!newdev->source)
-    {
-      grub_free (newdev);
-      return grub_errno;
-    }
+    return grub_errno;
 
   newdev->id = last_cryptodisk_id++;
   newdev->source_id = source->id;
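Review bot: With the grub_free (newdev) removed from the '!newdev->source' failure branch, ownership of newdev on error moves to the caller, and nothing in the function says so. Suggest a short comment above grub_cryptodisk_insert() stating that the device is not freed on failure, and a check of any caller not touched by this patch, which would now leak the device if it relied on the old behaviour.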
@@ -1044,7 +1041,9 @@ grub_cryptodisk_scan_device_real (const char *name,
     if (ret != GRUB_ERR_NONE)
       goto error;
 
-    grub_cryptodisk_insert (dev, name, source);
+    ret = grub_cryptodisk_insert (dev, name, source);
+    if (ret != GRUB_ERR_NONE)
+      goto error;
 
     goto cleanup;
   }
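Review bot: The new 'goto error' after grub_cryptodisk_insert() reaches cleanup code that is not visible in this hunk, and it does so with a device whose source field is NULL, because the failure shown in the first hunk is grub_strdup (name) returning NULL. Worth confirming that cryptodisk_close() copes with a NULL dev->source and that the error path sets dev to NULL before reaching 'return dev', as the commit message describes.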
-- 
2.27.0
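
The ownership problem the commit message describes, reduced to a stand-alone C model (an added example, not GRUB code and not part of the posted patch). The names dev_alloc, dev_free, insert_before/insert_after, scan_before/scan_after and fail_insert are hypothetical, and a one-slot static pool replaces the real allocator so the "freed" state can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <string.h>

/* Toy model (constructed): a one-slot pool stands in for the allocator,
   so a "freed" device can be inspected safely. */
struct dev { int live; char source[32]; };
static struct dev pool[1];
static int fail_insert;          /* 1 = simulate OOM in the strdup step */

static struct dev *dev_alloc(void)
{
  memset(&pool[0], 0, sizeof pool[0]);
  pool[0].live = 1;
  return &pool[0];
}
static void dev_free(struct dev *d) { d->live = 0; }

/* Before the patch: the callee frees its argument on failure. */
static int insert_before(struct dev *d, const char *name)
{
  if (fail_insert) { dev_free(d); return -1; }
  strncpy(d->source, name, sizeof d->source - 1);
  return 0;
}
/* After the patch: on failure the device stays owned by the caller. */
static int insert_after(struct dev *d, const char *name)
{
  if (fail_insert) return -1;
  strncpy(d->source, name, sizeof d->source - 1);
  return 0;
}
/* Before: the return value is ignored, so a freed device can be returned. */
struct dev *scan_before(const char *name)
{
  struct dev *d = dev_alloc();
  insert_before(d, name);
  return d;
}
/* After: failure takes the error path, which frees once and returns NULL. */
struct dev *scan_after(const char *name)
{
  struct dev *d = dev_alloc();
  if (insert_after(d, name) != 0)
    goto error;
  return d;
error:
  dev_free(d);
  return NULL;
}
/* Nonzero when a caller was handed a device that is no longer live. */
int returned_dead_device(struct dev *d) { return d != NULL && !d->live; }
```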




* Re: [PATCH] cryptodisk: Fix Coverity use after free bug
  2022-01-01 21:48 [PATCH] cryptodisk: Fix Coverity use after free bug Glenn Washburn
@ 2022-01-13 18:44 ` Daniel Kiper
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel Kiper @ 2022-01-13 18:44 UTC (permalink / raw)
  To: Glenn Washburn; +Cc: grub-devel

On Sat, Jan 01, 2022 at 03:48:25PM -0600, Glenn Washburn wrote:
> The Coverity output is:
>
>   *** CID 366905:  Memory - illegal accesses  (USE_AFTER_FREE)
>   /grub-core/disk/cryptodisk.c: 1064 in grub_cryptodisk_scan_device_real()
>   1058      cleanup:
>   1059       if (askpass)
>   1060         {
>   1061           cargs->key_len = 0;
>   1062           grub_free (cargs->key_data);
>   1063         }
>   >>>     CID 366905:  Memory - illegal accesses  (USE_AFTER_FREE)
>   >>>     Using freed pointer "dev".
>   1064       return dev;
>   1065     }
>   1066
>   1067     #ifdef GRUB_UTIL
>   1068     #include <grub/util/misc.h>
>   1069     grub_err_t
>
> Here the 'dev' variable can point to a freed cryptodisk device if the
> function grub_cryptodisk_insert() fails. This can happen only on an OOM
> condition, but when this happens grub_cryptodisk_insert() calls grub_free on
> the passed device. Since grub_cryptodisk_scan_device_real() assumes that
> grub_cryptodisk_insert() is always successful, it will return the device,
> though the device was freed.
>
> Change grub_cryptodisk_insert() to not free the passed device on failure.
> Then on grub_cryptodisk_insert() failure, free the device pointer. This is
> done by going to the label 'error', which will call cryptodisk_close() to
> free the device and set the device pointer to NULL, so that a pointer to
> freed memory is not returned.
>
> Signed-off-by: Glenn Washburn <development@efficientek.com>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Daniel

